
How to: A quick checklist to speed up an AD/Exchange migration using the Quest migration tool

A friend of mine reached out to me today asking for some help on a migration project. They are using Quest to help a customer with an AD/Exchange migration and are stuck on the huge effort of system preparation. I think Quest should already have provided a tool to help get permissions ready rapidly, but from a project execution perspective, a proven checklist may make you more comfortable, especially when the customer would like to know what changes you make to their environment.


This is the quick checklist I personally consolidated in past projects; give it a try.

**Only proven on migration from Exchange Server 2003 to 2010**

Domain Preparation

Source Domain Controller (


Domain Controller Host Name


AD Site


Domain Controller IP Address


IP Setting: DNS Servers


IP Setting: WINS Server


Domain Controller Operating system


Domain Controller Roles


Domain Functional Level


Forest Functional Level


DNS Setting: List all available domain zones:


DNS Setting: Conditional Forwarders


DNS Setting: Conditional Forwarders Target


Zone Transfer (Only transfer to specified IP address)


Create Second Zone


Second Zone Resolve Success


DNS FQDN Name Ping Test (on Source SPOC DCs - xxx)


FQDN Name Ping Result


NetBIOS Name Resolution


NetBIOS Name Ping Result


Windows Server Support Tools Installed


Firewall turned-off for all client PCs
1. Turn "Security Center" through group policy
2. Disable Windows Firewall service through group policy


enable GC Replication and Index for service attributes:






Target Domain Controller (


Domain Controller Host Name


AD Site


Domain Controller IP Address


IP Setting: DNS Servers


IP Setting: WINS Server


Domain Controller Operating system


Domain Controller Roles


Domain Functional Level


Forest Functional Level


DNS Setting: List all available domain zones:


DNS Setting: Conditional Forwarders


DNS Setting: Conditional Forwarders Target


DNS FQDN Name Ping Test (on Target SPOC DCs - xxx)


FQDN Name Ping Result


NetBIOS Name Resolution


NetBIOS Name Ping Result


Windows Server Support Tools Installed


Firewall turned-off for all client PCs
1. Turn "Security Center" through group policy
2. Disable Windows Firewall service through group policy


enable GC Replication and Index for service attributes:








Two-way Trust Done


Disable SID filtering

    Netdom trust johndemo.local /domain:rogertech.local /quarantine:No /usero:administrator /passwordo:Passw0rd



Account Preparation

Single Administrative Account


Source Domain Account Preparation


built-in Administrators group on source DC


Full Control on Domain partition via ADSIEdit


Read on Configuration partition via ADSIEdit


Administrators group on all exchange servers, and other involved application servers


Full Control permission on the OUs where the source synchronized objects are located.


Full Control permission on source Exchange 2003 servers

    HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
    Value name: ShowSecurityPage
    Data Type: REG_DWORD
    Value data: 1


Full Control permission on the Microsoft Exchange System Objects OU


Modify public folder replica list, Modify public folder deleted item retention, and Modify public folder quotas permission on the ESM administrative groups


Group Policy to add <your single administrative account> to the local Administrators group on all clients
1. Create one Domain Local security group named QMMAdminGroup in the Target domain
2. Add <your single administrative account> to QMMAdminGroup
3. Modify the default domain policy (or create a new one) to add QMMAdminGroup to the Administrators group on all clients


Target Domain Account Preparation


built-in Administrators group on target DC


Full Control on Domain partition via ADSIEdit


Read on Configuration partition via ADSIEdit


Full Control on Exchange organization via ADSIEdit

    CN=<ExchangeOrganizationName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<...>,DC=<...>


Full Control permission on the OUs where the target synchronized objects are located.


Full Control permission on the Microsoft Exchange System Objects OU


Full Control permission on each mailbox database and associated public folder database

    Get-Mailbox | Add-MailboxPermission -User <your single administrative account> -AccessRights FullAccess
    Get-MailboxDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
    Get-PublicFolderDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As


Organization Management group membership for target Exchange Server 2010


Public Folder Management group membership for target Exchange Server 2010


Recipient Management group membership for target Exchange Server 2010


Administrators group on all exchange servers, and other involved application servers


ApplicationImpersonation role on target Exchange Server 2010

    New-ManagementRoleAssignment -Name QMMAppImpersonation -Role ApplicationImpersonation -User <your single administrative account>


ms-Exch-EPI-May-Impersonate extended right

    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User ((Get-User -Identity qmmadmin) | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
    Get-PublicFolderDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}


Group Policy to add <your single administrative account> to the local Administrators group on all clients
1. Create one Domain Local security group named QMMAdminGroup in the Target domain
2. Add <your single administrative account> to QMMAdminGroup
3. Modify the default domain policy (or create a new one) to add QMMAdminGroup to the Administrators group on all clients




QMM Console (xxx)


Grant "Log on as a service" right to <your single administrative account> via local security policy


Verify <your single administrative account> belongs to Administrators group membership



Exchange Server Preparation

Source Exchange Server - 2003


Exchange Server Name


Exchange Server IP Address


IP Setting: DNS Servers


IP Settings: WINS Server


Existing Accepted Domains


Email Redirection Target Domain SMTP namespaces


mail route SMTP name space


Smart Host Address


Mailbox Access and Email Flow Verification


Default Source Domain -> Default Target Domain


Default Source Domain -> Email Redirection Target SMTP name space


Offline Address Book Downloading Availability


Create a temp Storage Group for synced mailbox-enabled objects


Exchange Server


Storage Group name


Enable "circular logging" for this storage group


Mailbox Store name


Full Backup Done


Create "Aelita EMW Recycle Bin" Public Folder


Creating Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization


Specifying displayName Value for source EX2K3 mailbox database via ADSIEdit
1. Locate CN=First Storage Group,CN=InformationStore,CN=EX2K3,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Mail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<…>,DC=<…>
2. Copy the adminDisplayName value to the displayName field.


Firewall turned-off


Target Exchange Server - 2010


Exchange Server Name


Exchange Server IP Address


IP Setting: DNS Servers


IP Settings: WINS Server


Accepted Domains


Existing Accepted Domains (Related)


Email Redirection Target Domain SMTP namespaces


Email Address Policies


Remote Domains


Add email redirection Source Domain SMTP namespace


Send Connector


mail route SMTP name space


Smart Host Address


Create Target Mailbox Database for migration


Database Name


Mount Availability


Limit Configuration Matching with policy


Public Folder Database Association


Offline Address Book Association


Default Receive Connector permission group -> Anonymous


Mailbox Access and Email Flow Verification


Default Target Domain -> Default Source Domain


Default Target Domain -> Email Redirection Source SMTP name space


Offline Address Book Downloading


Full Backup Done


Create "Aelita EMW Recycle Bin" Public Folder


Creating Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization


Creating Custom Throttling Policies

    New-ThrottlingPolicy QMMExAccountThrottlingPolicy
    Set-ThrottlingPolicy QMMExAccountThrottlingPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null
    Set-ThrottlingPolicyAssociation -Identity <your single administrative account> -ThrottlingPolicy QMMExAccountThrottlingPolicy


Installing the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and Restart Server


Disable RPC Encryption on Target Exchange 2010 Servers

    Set-RpcClientAccess -Server EX2010.rogertech.local -EncryptionRequired $false


firewall turned-off



QMM Console Preparation

Firewall turned-off


Installing the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and Restart Server


Double check <your single administrative account> is in local Administrators group
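
The checklist gives one account broad rights and relaxes several settings (SID filtering, RPC encryption, anonymous receive connector), so an inventory of those changes is useful for the customer report and for reverting them after the migration. The script below is an added example, not part of the original post or of Quest's tooling; the account name ROGERTECH\qmmadmin and the report path are placeholders, and the netdom call assumes the shell runs with rights to query the trust.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# of the target Exchange 2010 organization (PowerShell 2.0 compatible).
$Account    = 'ROGERTECH\qmmadmin'    # placeholder for <your single administrative account>
$ReportPath = '.\qmm-grants.csv'      # placeholder output path

function New-Finding($Area, $Object, $Detail) {
    New-Object PSObject -Property @{ Area = $Area; Object = "$Object"; Detail = "$Detail" }
}
$report = @()

# RBAC roles in effect for the account, directly or through role groups
$report += @(Get-ManagementRoleAssignment -RoleAssignee $Account |
    ForEach-Object { New-Finding 'RBAC role' $_.Role $_.Name })

# Explicit ACEs (GenericAll, Receive-As, Send-As, impersonation) on databases and CAS servers
$targets = @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase) +
           @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer })
foreach ($t in $targets) {
    $report += @(Get-ADPermission -Identity $t.DistinguishedName -User $Account |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { New-Finding 'AD ACE' $t.Name "$($_.AccessRights) $($_.ExtendedRights)" })
}

# Explicit per-mailbox FullAccess grants, summarized as a count
$full = @(Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User $Account |
    Where-Object { -not $_.IsInherited -and "$($_.AccessRights)" -match 'FullAccess' })
$report += New-Finding 'Mailbox FullAccess' 'all mailboxes' "$($full.Count) explicit grants"

# Throttling policy bound to the account
$assoc = Get-ThrottlingPolicyAssociation -Identity $Account
$report += New-Finding 'Throttling policy' $Account $assoc.ThrottlingPolicyId

# Settings the checklist relaxes: RPC encryption and anonymous receive connectors
$report += @(Get-RpcClientAccess | ForEach-Object {
    New-Finding 'RPC encryption' $_.Server "EncryptionRequired=$($_.EncryptionRequired)" })
$report += @(Get-ReceiveConnector |
    Where-Object { "$($_.PermissionGroups)" -match 'AnonymousUsers' } |
    ForEach-Object { New-Finding 'Anonymous receive connector' $_.Identity $_.PermissionGroups })

# SID filtering state of the trust; /quarantine without a value only displays it
$sid = netdom trust johndemo.local /domain:rogertech.local /quarantine
$report += New-Finding 'SID filtering' 'johndemo.local / rogertech.local' ($sid -join ' ')

$report | Select-Object Area, Object, Detail | Export-Csv -NoTypeInformation -Path $ReportPath
```

Running it once before the preparation steps and again after cleanup gives two CSV files whose difference is the set of changes still in place.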




Originally posted at "".